Data Security – tips to keep you safePW Data Group
Threats to data security are always emerging, here are some pointers to keep you safe:
In modern-day applications, data encryption has become an essential part of development. Every single piece of data has its own importance, and we can’t leave them vulnerable, without any encryption mechanisms or security features in place therefore data security is paramount.
Encryption of data has become a major safeguard for data which resides in databases, file systems and other applications which transmit this data. Given the magnitude of data security, one must follow the best practices while implementing encryption mechanisms and data security.
Decentralise the Process of Encryption and Decryption
This is an important aspect of designing and implementing a data security plan. The choice is to implement it at a local level and distribute it throughout the enterprise or to implement it at a central location on a separate encryption server. If the encryption and encryption processes are distributed one has to ensure the secured distribution and management. Software which performs the encryption at the file level, database level and application level is well known for providing the highest level of security while allowing users full access to the application. The decentralised approach of encryption and decryption has the advantages of:
- Higher performance
- Lower network bandwidth
- Higher availability
- Better transmission of data
Central Key Management with Distributed Execution
Any solution based on the hub-spoke architecture is considered to be a good architecture. This enables the encryption and decryption node to exist at any point within the enterprise network. The spoke key management component can easily be deployed onto different nodes and can be integrated with any encryption application. Once deployed and the spoke components are ready, all the encryption/decryption mechanisms are available at the node level, where the encryption/decryption task is performed. This approach reduces the data’s network trips. This approach also reduces the risk of application downtime because of the failure of the hub component.
Support for Multiple Encryption Mechanisms
Even if you have the best available encryption mechanism implemented, it is always advisable to have support for different encryption technologies. This becomes essential in cases of mergers and acquisitions. Having a security system in place which supports the major industry standard encryption algorithm ensures the organisation is well prepared to accept any new government rules and regulations.
Centralised User Profiles for Authentication
Given the sensitivity of data, it becomes essential to have an appropriate authentication mechanism in place. Access to these data should be based on the user profiles defined in the key manager. Only the authenticated users will be assigned and issued credentials to get access to the encrypted resources which are associated with the user profile. These user profiles are managed with the help of a user which has administrative rights in the key manager. In general, the best practice is to follow an approach where no single user or administrator has sole access to the keys.
No Decryption or Re-Encryption in Case of Key Rotation or Expiration
Every data field or file which is encrypted should have a key profile associated with it. This key profile has the ability to enable the application to identify the encrypted resources which should be used to decrypt the data field or file. Thus it is not required to decrypt a set of encrypted data and then re-encrypt them back when the keys expire or are changed. Freshly encrypted data would be decrypted using the latest key while for the existing data, the original key profile which was used for encryption will be searched and used for decryption.
Maintain Comprehensive Logs and Audit Trails
Each and every access to the set of data which is encrypted because of its high degree of sensitivity, should be logged in detail with the following information:
- Detail of the function which has accessed the sensitive data
- Detail of the user who has accessed the sensitive data
- Resources which are used to encrypt the data
- The data which is being accessed
- The time when the data is accessed
Common Encryption/Decryption Solution for the Entire Application
It is always the best practice to follow a common encryption mechanism to encrypt the fields, files and databases. The encryption mechanism needs not know the data it is encrypting or decrypting. One must identify the data which needs to be encrypted and also the mechanism. Once encrypted, the data becomes inaccessible and can be accessed only based on user rights. These user rights are application specific and need to be controlled by an administrative user.
It is a common approach in enterprises to have a large number of external devices. These devices may be point-of-sale (POS) devices which are dispersed over the network. These do not have typical database-oriented applications and are dedicated to single function, using proprietary tools. It is always a good approach to use an encryption mechanism which can be easily integrated with any third-party application.
One of the major aspects of data security is data backup. Given the magnitude of sensitivity, all data must be backed up on a daily basis. It is also important to restore the backed-up data and check the application for correctness.